000029638 - Authentication Manager 8.1 SP1 replica attaches but replication fails with an error: "Duplicate key value violates unique constraint"

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.


Article Number: 000029638
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 SP1
 
Issue: A new replica appears to attach, but then hits an internal replication error and cannot replicate; replication fails with ERROR: duplicate key value violates unique constraint "ak_ims_principal_isrcid_uid"
Details
ReplicationRunnable.logOrThrowBeforeReInit(168) | cisrsa01a.caci.com,,,,database connection failure: PreparedStatementCallback; SQL []; FATAL: terminating connection due to administrator command; nested exception is org.postgresql.util.PSQLException: FATAL: terminating connection due to administrator command 
pm2-ace03.caci.com,,,,failed to apply change: 
[table] ims_principal_data 
[stmt type] U 
[old] (8ef768d2bac90e0a043397ada3b02b94,1420579302007,24,,,,,,,,,jaguillette,,,,,,,,f,,,,,,,0101000,,"\\ed\\51\\9a\\4a\\0d\\d3\\8e\\46\\98\\a9\\9e\\64\\f6\\4a\\36
19",,0,,,,,,-1,f,,) 
[new] (8ef768d2bac90e0a043397ada3b02b94,1423516932791,25,,,,,,,,,jguillette,,,,,,,,f,"2015-02-09 21:22:12.791",,,,,,0101000,,"\\4b\\91\\14\\b5\\2f\\3a\\08\\46\\82\\75\\03\\39\\58\\8f\\48 
0d",,0,,,,,,-1,f,,) 
@@@2015-02-09 16:23:00,266 FATAL [ApplyR2P-6fa79c0be9c80e0a0801128a9e2d9533 Last Applied Chgset Id: 52214 Last Received (from replica) Chgset Id: 52215 Next Chgset Id To Apply: 52215 Curr Repl Txn Id: 616220 Repl Chg Id: 159526 Hostname: cisrsa01a.caci.com] 
ServiceCallable.runMainLoop(86) | 006-pm2-ace03.caci.com,,,,Unhandled exception during main loop. Shutting down this service thread. 
com.rsa.replication.UnexpectedApply2PException: unable to apply replica changes 
Caused by: org.postgresql.util.PSQLException: ERROR: duplicate key value violates unique constraint "ak_ims_principal_isrcid_uid" 
Detail: Key (loginuid, identity_src_id)=(jguillette, 1c166563bac90e0a016d3f1617e2afe4) already exists. 
Where: SQL statement "update rsa_rep.IMS_PRINCIPAL_DATA 
Removing the replica from the primary's Operations Console, factory resetting the hardware replica and generating a new replica package did not help: the replica failed to attach again with the same error.
================
Second Symptom: Authentication Failures with Principal Not Found - See KB 000029958
Cause: Something happened to the user in the external LDAP identity source (in the example above, the UserID is jguillette): the user was either moved, or was placed in a group that is also within the scope of the identity source, so that the user now appears to be a duplicate. Secondary symptoms include:
 1. Unable to edit this user in the Security Console (duplicate user error)
 2. A Cleanup job does not fix this situation
If AD users are deleted and re-created as part of their move, they are given a new objectGUID, which prevents Authentication Manager from finding their original location in AD and blocks a clean-up, because there is now an apparent duplicate UserID (sAMAccountName).
RSA Authentication Manager external LDAP identity sources find and manage Active Directory users through three attributes (see the AM 8.1 Administrator's Guide, search for 'Distinguished Name'):
  1. Distinguished Name (DN in LDAP terminology), e.g. CN=Guillette\, Jay, OU=Users,DC=rsa, DC=com
  2. Unique Identifier: objectGUID by default, or UPN
  3. UserID, i.e. sAMAccountName
If a user is moved within a domain, their DN changes but their unique identifier (objectGUID or UPN) stays the same, so Authentication Manager can find them and fix the record with a Clean-up job. But if the user is deleted and re-created in a different location or OU in Active Directory, both the unique identifier (objectGUID) and the DN change, while the UserID (sAMAccountName) is still remembered from the original location, so the user shows up as a duplicate in the new location.
You can verify this in AD by opening the user's Properties and the Attribute Editor tab. Check the DN and objectGUID before and after any move.
If both have changed, Authentication Manager cannot resolve the user, and also cannot clean it up because the sAMAccountName still exists.
Resolution
1. Modify the external LDAP identity source's user search filter under the Map tab to filter out this user (jguillette) by adding a NOT clause on sAMAccountName,
     (!(samAccountName=jguillette))
to the default, current user search filter of
     (objectClass=User)(objectcategory=person)
so that you have
      (&(objectClass=User)(objectcategory=person)(!(samAccountName=jguillette)))
2. Run a Cleanup job from Security Console - Setup - Identity Sources.
3. Remove the NOT samAccountName clause from the user search filter and change it back to your default, e.g. (objectClass=User)(objectcategory=person)
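As an added example (not RSA's code and not part of this article), the following Python models both checks described above: it classifies a user as moved or re-created from before/after snapshots of the objectGUID and distinguishedName attributes discussed under Cause, and builds the temporary exclusion filter from step 1 with RFC 4515 value escaping and a parenthesis-balance check, since a dropped ')' is an easy typo. The snapshot data, GUIDs and DNs are constructed.

```python
# Added example (not RSA's code): classify an AD user change from attribute
# snapshots and build the temporary user filter that hides a re-created account.

# Constructed sample snapshots of the attributes the article says to check in
# the AD Attribute Editor (objectGUID, distinguishedName), keyed by sAMAccountName.
BEFORE = {
    "jguillette": {"objectGUID": "guid-1111", "distinguishedName": "CN=Jay,OU=Users,DC=rsa,DC=com"},
    "asmith": {"objectGUID": "guid-2222", "distinguishedName": "CN=Ann,OU=Users,DC=rsa,DC=com"},
}
AFTER = {
    "jguillette": {"objectGUID": "guid-3333", "distinguishedName": "CN=Jay,OU=Sales,DC=rsa,DC=com"},
    "asmith": {"objectGUID": "guid-2222", "distinguishedName": "CN=Ann,OU=Sales,DC=rsa,DC=com"},
}
# RFC 4515 escapes for values embedded in an LDAP search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def classify_user(before: dict, after: dict) -> str:
    """'moved': same objectGUID, new DN (a Clean-up job can resolve it);
    'recreated': objectGUID changed (appears as a duplicate UserID);
    'unchanged': neither attribute changed."""
    if before["objectGUID"] != after["objectGUID"]:
        return "recreated"
    if before["distinguishedName"] != after["distinguishedName"]:
        return "moved"
    return "unchanged"

def recreated_users(before: dict, after: dict) -> list:
    """sAMAccountNames present in both snapshots whose objectGUID changed."""
    return sorted(n for n in before if n in after
                  and classify_user(before[n], after[n]) == "recreated")

def escape_filter_value(value: str) -> str:
    """Escape characters that would otherwise change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def balanced(ldap_filter: str) -> bool:
    """True if every '(' is closed; catches a dropped ')' before AD rejects it."""
    depth = 0
    for ch in ldap_filter:
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if depth < 0:
            return False
    return depth == 0

def exclusion_filter(base_filter: str, names: list) -> str:
    """AND the current user filter with one NOT clause per excluded sAMAccountName."""
    if not balanced(base_filter):
        raise ValueError("base filter has unbalanced parentheses")
    nots = "".join(f"(!(samAccountName={escape_filter_value(n)}))" for n in names)
    return f"(&{base_filter}{nots})"
```

Run `exclusion_filter("(objectClass=User)(objectcategory=person)", recreated_users(BEFORE, AFTER))` to get the step 1 filter for every account whose objectGUID changed.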

 
Notes: Older versions threw the error "The specified ID is already in use by an unresolvable user within this realm" instead.
